How to Protect IoT Gateways from Security Vulnerabilities

Although IoT is Promising Innovation, You Must Be Careful About Security Vulnerabilities:

On October 2016, Dyn, a Domain Name Server (DNS) company was the target of a massive coordinated distributed denial of service (DDoS) attack leaving the world not able to connect to popular websites such as Twitter, Amazon.com, BBC, Reddit, Spotify, and more. DDoS attacks occur when multiple resources flood the bandwidth and/or resources of a targeted system which in turn overloads it, preventing it from fulfilling legitimate requests. This attack was carried out by installing malware on Internet of Things (IoT) enabled devices including baby monitors and cameras. Although IoT is touted as a promising, emerging innovation that will drive tremendous business value, attacks such as these highlight the security vulnerabilities that currently exist and their grave implications.

Internet of Things refers to a system of devices and sensors that connect to the Internet, allowing them to send and receive data without human intervention. The capturing and exchanging of data unlocks greater insights that, in turn, may unlock competitive advantages for businesses.

IoT Gateways Sit Between Your Ecosystem and the Cloud. Gateways translate fragmented IoT based protocols into a standard one.

In order to scale, IoT enabled devices need to operate on low power, which limits transmission distance and flexibility. It is not beneficial nor feasible to have to frequently change batteries of large amount (sometimes 1,000’s) of sensors and devices in a constrained environment. To account for these limitations, many different IoT focused communication protocols have emerged; strong protocols must have multicast support, asynchronous message exchange, low header overhead, simple parsing process, and URI + content-type support. Currently there is no standardization of IoT communication protocols and many different types exist (CoAP, MQTT, XMPP, AMQP, etc.), each with their own benefits and limitations. The rise of IoT enabled devices brings forth a new set of parameters and challenges which makes it extremely difficult to have a “magic bullet” that can solve all IoT security issues. Securing the Internet of Things requires an end to end approach and a wide range of security technologies.

Gateways are an important part of an IoT ecosystem but are a vulnerable, single point of hackability. Gateways can communicate with sensors/devices over varying protocols and then translate the data into standard protocol (such as HTTP) to be sent to the cloud. Gateway devices act as local processing units, enforcing network access control policies and is a mid-layer between physical IoT-enabled devices and the cloud/backend. As a result, gateways allow interoperability between devices, increases scalability (sensors/devices can communicate shorter distances with lower power to a centralized gateway that interfaces with back end system) and adds a layer of security for IoT environment (as sensors and devices aren’t communicating directly to cloud).

We have seen a strong surge in securing communication protocols and devices but you shouldn’t forget about IoT gateways! If hacked, all the devices within the environment can be compromised as well. Below we provide four of the most important vulnerabilities we believe you should focus on.

Architecture Design & Over the Air Updates Security: At a high level, the actual design of the system is an important step to maximize security. One must understand the critical role of all the devices and sensors in the ecosystem, as well as all the devices that interface with them. Firmware updates will take place within the ecosystem, and it is necessary to consider how these updates are taking place, and how to conduct them most securely.

Message Security: It is important to use strong end-to-end encryption methodologies. Messages should be encrypted and can only be decrypted by recipient using cryptographic keys. This allows gateway device to still accept and pass on data but it will not be able to read the data. Thus, in the case of a security compromise, the hacker will not be able to parse and read the data from the gateway device.

Device Onboarding Security: Device onboarding occurs when a new device is added within the constrained IoT ecosystem. Key management practices, and how keys are exchanged when new devices are accepted is a large security vulnerability. Physical tampering can also lead to private keys to be extracted. It is important to hone in on how these exchanges take place and implement strong key management practices and consider PUF (physical unclonable function) system.

Integrations Security: Lastly, IoT API security is an important consideration. IoT systems transmit and receive voluminous amounts of data and information, and it is important to be able to have secure data-movement between devices/sensors, gateway devices and back-end databases through REST-based APIs. Because integrations are vulnerable, one must continuously scan and test to ensure integrity of data within the system. One tool that can help with this is Soap UI.

Moving Forward…

Many people forget to look into IoT gateway devices. Gateway devices are an important part in Internet of Things ecosystem especially with the rise of many fragmented communication protocols and limitations that IoT-enabled devices face. We hope that this post helps identify the big security vulnerabilities we think you should look out for in regards to gateway devices so that you can maximize your chances for success using IoT.

Think you’re an IoT expert?

Check your knowledge with our IoT quiz and be entered to win a $100 gift card!